MEDIUM 5.4

CVE-2026-45580: WWBN AVideo Stored XSS in Live Plugin Stream Key

WWBN AVideo, an open-source video streaming platform, contains a stored cross-site scripting (XSS) vulnerability in its Live plugin. A user with streaming permissions can inject malicious JavaScript into the stream configuration, which then executes in the browsers of anyone—logged-in or anonymous—who views that live stream. The vulnerability persists because user-controlled input (the stream key) is inserted directly into an HTML class attribute without proper sanitization.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Live plugin in WWBN AVideo 29.0 and earlier fails to sanitize the stream key before rendering it into an HTML class attribute in the 'YouTube-style' view. An authenticated user with canStream privileges can manipulate the stream key via plugin/Live/saveLive.php to include a quote character followed by an event handler (e.g., " onload="..."). When the live stream page loads, the injected event handler executes in the context of the platform's origin, allowing theft of session cookies, credential harvesting, or malware injection. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Business impact

This vulnerability poses a risk to platform availability and user trust. An attacker with streaming permissions can compromise any visitor to the platform, including administrators. Potential impacts include unauthorized access to user accounts, theft of sensitive data, defacement of the platform, or deployment of malware to users' machines. For organizations running AVideo as a shared or public service, this enables lateral movement within the user base and may violate compliance requirements around data protection and incident reporting.

Affected systems

WWBN AVideo version 29.0 and all earlier versions are affected. The vulnerability is isolated to the Live plugin's YouTube-style view rendering. Systems running patched versions or those that have disabled the Live plugin are not affected. Verify your current AVideo version in the admin dashboard.

Exploitability

Exploitation requires a user account with canStream privileges—typically a content creator or administrator role. The attacker then modifies the stream key through the saveLive.php endpoint. No network-level access, authentication bypass, or user interaction beyond viewing the stream is required for the injected script to execute. The low attack complexity and reliance on relatively common permissions make this moderately exploitable in multi-user environments.

Remediation

Upgrade WWBN AVideo to a patched version that sanitizes stream key output using htmlspecialchars() or equivalent context-aware encoding before rendering into HTML attributes. Until patching is possible, restrict canStream permissions to trusted users only, and consider disabling the YouTube-style view or the Live plugin entirely if not actively used. Implement Content Security Policy headers to mitigate XSS impact.

Patch guidance

Check the official WWBN AVideo repository and security advisories for patched versions released after 2026-06-17. Apply the update to the platform codebase, verify the Live plugin's rendering code includes proper HTML entity encoding for user-controlled attributes, and test the live stream view with sample stream keys containing special characters. Restart the AVideo service after deployment.

Detection guidance

Monitor web server and application logs for POST requests to plugin/Live/saveLive.php containing quote characters, angle brackets, or event handler keywords (onload, onerror, onclick) in the stream key parameter. Use a Web Application Firewall (WAF) to block payloads matching XSS patterns in the Live plugin endpoints. Periodically audit configured stream keys in the database for suspicious characters or event handlers. Check browser console logs on user machines for unexpected script execution during live stream viewing.

Why prioritize this

Although rated MEDIUM severity (CVSS 5.4), this vulnerability should be prioritized because it affects all platform visitors regardless of role, can escalate attacker access through credential theft, and exploits a common user action (viewing a live stream). The requirement for low-level streaming privileges means many organizations may have affected users. Patching is straightforward and should be scheduled promptly.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects: low attack complexity and no special privileges required for exploitation beyond basic streaming rights; network-accessible vector; limited direct confidentiality and integrity impact to individual sessions; and no denial-of-service capability. However, the scope is changed (cross-site), and the platform-wide reach elevates practical risk above the numeric score in multi-user deployments.

Frequently asked questions

Do I need to be logged in to be affected by this vulnerability?

No. The injected JavaScript executes for any visitor to the compromised live stream page—both logged-in and anonymous users are vulnerable. However, the attacker must have a platform account with streaming permissions to inject the payload.

Can this vulnerability be exploited without modifying the stream key?

No. The attacker must have canStream privileges and use the saveLive.php endpoint to inject the malicious stream key. General visitors cannot trigger the vulnerability on their own.

What happens if my organization uses AVideo but never enables the Live plugin?

You are not affected by this specific vulnerability. However, verify that the plugin is truly disabled in your configuration and that you are running a current version of AVideo for other potential issues.

Does Content Security Policy alone prevent this attack?

A well-configured CSP can mitigate the impact by blocking inline scripts or restricting script sources, but it is not a substitute for patching. CSP should be layered as a defense-in-depth measure alongside proper input sanitization.

This analysis is provided for informational purposes to help security teams assess and remediate the vulnerability. SEC.co makes no warranty regarding the completeness or accuracy of patch information. Organizations should verify all patch versions and guidance against the official WWBN AVideo security advisories and documentation. The vulnerability status, affected versions, and remediation steps may change as vendor updates are released. Always conduct testing in a non-production environment before deploying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).